Overview

overview

10

Static

static

10

0a36d74a14...04.exe

windows10-2004-x64

8

0b8b9525ea...96.exe

windows10-2004-x64

1

0bcbf39901...03.exe

windows10-2004-x64

10

0e5e999136...e7.exe

windows10-2004-x64

10

0fc0de254b...ce.exe

windows10-2004-x64

10

1a47c4fd5a...a8.exe

windows10-2004-x64

7

1a6ed538d9...ed.exe

windows10-2004-x64

7

1ac9b17068...d7.exe

windows10-2004-x64

8

1be6fdb2df...e9.exe

windows10-2004-x64

10

2bbbb9b0cd...b2.exe

windows10-2004-x64

10

2cda90e9e8...33.exe

windows10-2004-x64

3

2d58b1a373...aa.exe

windows10-2004-x64

5

2e966d3480...2e.exe

windows10-2004-x64

7

3a0297561d...1c.exe

windows10-2004-x64

10

3a90ad3258...8d.exe

windows10-2004-x64

6

3e76598b80...50.exe

windows10-2004-x64

10

4a5b5eb5a4...36.exe

windows10-2004-x64

10

4b482e8492...8c.exe

windows10-2004-x64

6

4bd46a2850...9c.exe

windows10-2004-x64

10

4cca8b360d...0a.exe

windows10-2004-x64

10

4e31114ffd...f7.exe

windows10-2004-x64

10

5ac2fcc4da...83.exe

windows10-2004-x64

10

5b25182d96...14.exe

windows10-2004-x64

7

5ddb366ead...46.exe

windows10-2004-x64

9

5f1364d246...bc.exe

windows10-2004-x64

10

6e0c9935ea...65.exe

windows10-2004-x64

1

6ea27426ff...08.exe

windows10-2004-x64

4

7dad12bd22...d2.exe

windows10-2004-x64

8

7db9e09e8b...71.exe

windows10-2004-x64

3

7e9af10bfe...5a.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    128s
  • max time network
    145s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250314-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09/04/2025, 08:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0e5e9991361cc4228bbb1f7c531379f52c2dd8e353af3f27b0d87a2c0d75b4e7.exe

  • Size

    32KB

  • MD5

    325adebdd9f8c27cbdb7a0f8674469f4

  • SHA1

    aec054d040cf107f43b480e00c0a86ae4c7b5b76

  • SHA256

    0e5e9991361cc4228bbb1f7c531379f52c2dd8e353af3f27b0d87a2c0d75b4e7

  • SHA512

    137d81da8400a5c79d4eab0cef9e77d2403f71c4d89cbbc1cf7c880c1ca477abfc74380ecdbcd7620aa10137f201e406cd4c09ab4e5e671f999790c87b87a5d1

  • SSDEEP

    768:JpOkcFeazzw/6QIu4RJg4/F7e1gXkMGsosihCxLiNADHAgN/9VOhl:DOdFBA/6Q4RJg4/F7e1rMTXDLi6LN9VU

Score
10/10
xwormexecutionpersistencerattrojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

g574h9hd9.loseyourip.com:1605

Mutex

IaHsONiXUch62bUa

Attributes
  • Install_directory

    %AppData%

  • install_file

    MicrosoftEdgeUpdateCore.exe

aes.plain

Signatures

  • Detect Xworm Payload 2 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Xworm family
    xworm
  • Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 10 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\0e5e9991361cc4228bbb1f7c531379f52c2dd8e353af3f27b0d87a2c0d75b4e7.exe
    "C:\Users\Admin\AppData\Local\Temp\0e5e9991361cc4228bbb1f7c531379f52c2dd8e353af3f27b0d87a2c0d75b4e7.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2344
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\MicrosoftEdgeUpdateCore.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3384
    • C:\Users\Admin\AppData\Local\Temp\MicrosoftEdgeUpdateCore.exe
      "C:\Users\Admin\AppData\Local\Temp\MicrosoftEdgeUpdateCore.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1900
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\MicrosoftEdgeUpdateCore.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3924
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'MicrosoftEdgeUpdateCore.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3172
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateCore.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3824
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'MicrosoftEdgeUpdateCore.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2188
      • C:\Windows\System32\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "MicrosoftEdgeUpdateCore" /tr "C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateCore.exe"
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:4140
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateCore.exe
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2640
    • C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateCore.exe
      C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateCore.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:4724
  • C:\Windows\System32\mousocoreworker.exe
    C:\Windows\System32\mousocoreworker.exe -Embedding
    1⤵
      PID:3384
    • C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateCore.exe
      C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateCore.exe
      1⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:5016
    • C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateCore.exe
      C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateCore.exe
      1⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:384

    Network

    MITRE ATT&CK Enterprise v16

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\MicrosoftEdgeUpdateCore.exe.log
      Filesize

      654B

      MD5

      2ff39f6c7249774be85fd60a8f9a245e

      SHA1

      684ff36b31aedc1e587c8496c02722c6698c1c4e

      SHA256

      e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

      SHA512

      1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
      Filesize

      2KB

      MD5

      d85ba6ff808d9e5444a4b369f5bc2730

      SHA1

      31aa9d96590fff6981b315e0b391b575e4c0804a

      SHA256

      84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

      SHA512

      8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      944B

      MD5

      991693ae1b09c8ed9370baaeeafc520a

      SHA1

      dbb9c226718fb76d9950f0e307232c53ffd0f9fc

      SHA256

      700adce5ca24ff9297a1f473642b4e39e980d94f847e6bd2edc66a23620d4ce5

      SHA512

      d321e4bf062443859ed2b7f007fc05657bb1fa277ddb09993e5edded25cd2d28dd6290c650d5759eb5aa32f3332b8285fca9ed2d8f784a40331a35b8eb8384b1

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      944B

      MD5

      34f595487e6bfd1d11c7de88ee50356a

      SHA1

      4caad088c15766cc0fa1f42009260e9a02f953bb

      SHA256

      0f9a4b52e01cb051052228a55d0515911b7ef5a8db3cf925528c746df511424d

      SHA512

      10976c5deaf9fac449e703e852c3b08d099f430de2d7c7b8e2525c35d63e28b890e5aab63feff9b20bca0aaf9f35a3ba411aee3fbeee9ea59f90ed25bd617a0b

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      944B

      MD5

      ba169f4dcbbf147fe78ef0061a95e83b

      SHA1

      92a571a6eef49fff666e0f62a3545bcd1cdcda67

      SHA256

      5ef1421e19fde4bc03cd825dd7d6c0e7863f85fd8f0aa4a4d4f8d555dc7606d1

      SHA512

      8d2e5e552210dcda684682538bc964fdd8a8ff5b24cc2cc8af813729f0202191f98eb42d38d2355df17ae620fe401aad6ceaedaed3b112fdacd32485a3a0c07c

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\MicrosoftEdgeUpdateCore.exe
      Filesize

      46KB

      MD5

      2503793e2d46fa767edc9876cc37dc40

      SHA1

      fd0cebfa85c216438eab222bc8ce5d45274d176a

      SHA256

      c20f68bf306f02f68adc562a6b33cd2b9903ac9384bdb56a666c089b436239c8

      SHA512

      23879c2b7340310c4ae9a5e234160c3d3951f087a678fbb794a3d560978fa7d8d4a78057a2830c2e49182d191072bb41ef94a87d0b1b1677d54340d40af9ebeb

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_yyxzltwd.1mw.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit

    • memory/1900-32-0x0000000000BF0000-0x0000000000C02000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2344-20-0x00007FFF14EE0000-0x00007FFF159A1000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/2344-0-0x00007FFF14EE3000-0x00007FFF14EE5000-memory.dmp

      Filesize

      8KB

      Download

    • memory/2344-33-0x00007FFF14EE0000-0x00007FFF159A1000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/2344-1-0x0000000000DA0000-0x0000000000DAE000-memory.dmp

      Filesize

      56KB

      Download

    • memory/3384-17-0x00007FFF14EE0000-0x00007FFF159A1000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/3384-14-0x00007FFF14EE0000-0x00007FFF159A1000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/3384-13-0x00007FFF14EE0000-0x00007FFF159A1000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/3384-12-0x00007FFF14EE0000-0x00007FFF159A1000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/3384-9-0x0000028229450000-0x0000028229472000-memory.dmp

      Filesize

      136KB

      Download